If there ever was a time for CFOs to focus on budgeting for healthcare security, that time is now. The healthcare industry saw an alarming 239% increase in large-scale data breaches over the past four years. And while cybersecurity might not be every CFO’s strong suit, they are the best in the world at mitigating financial risk.
Generally, CFOs are putting more and more into their cybersecurity budget. Yet, the growing number of cybersecurity attacks continues to challenge these strategies.
CFOs might think cybersecurity should be left to their Chief Information Security Officer (CISO). However, there has never been a more crucial time for CFOs to recognize their part in reducing cybersecurity risk.
Why? The stats above and the threat landscape demand a different perspective from CFOs. This article seeks to address this perspective and how CFOs should approach cybersecurity.
Simply put, the threat of attacks in healthcare is serious. Breaches can be very costly because they involve highly sensitive patient data. So, it’s important that CFOs realize how much their financial decisions affect their overall security position.
There is no way to put it lightly: with the average cost of a healthcare data breach at $10.93 million, a cybersecurity attack is a nightmare for CFOs.
Just one attack could severely damage the bottom line and lead to long-lasting issues, including:
Plus, the healthcare industry is heavily regulated due to sensitive patient data. Most companies are required to comply with several frameworks at once, such as HIPAA, HITRUST, GDPR (for EU), and PCI DSS (for payment card information).
Compliance violations can lead to huge penalties. Plus, having multiple frameworks means those fines could double or triple, costing thousands or even millions of dollars.
For a real-life example, look at what happened with the recent UnitedHealthcare security breach. This one attack is thought to have affected “maybe a third” of the American population. Hackers apparently obtained over six TB of sensitive patient data, leading to at least six class action lawsuits. To date, this event is costing healthcare providers an estimated $100 million… daily.
If we look closer at this incident, we see another alarming trend across the industry: consolidation. The cybersecurity attack targeted Change Healthcare, a subsidiary that UnitedHealth Group acquired in 2022.
While we are not saying this consolidation is directly to blame, it is worth noting that increased consolidation results in increased information sharing. And, as the number of parties increases, so does the risk of breaches.
But before we look at how CFOs can strategize their plan for risk management in healthcare, let us see how the rest of the industry is doing it.
The UnitedHealthcare security breach has experts second-guessing how well the healthcare industry is prepared for attacks. According to these experts, cybersecurity spending is simply not on par with the growing scale and threat of these incidents.
With so many challenges in the healthcare industry competing for the same budget, CFOs must firmly make the case for cybersecurity spending. That means arguing that investing in cybersecurity matters more than other issues, including more “traditional” investments.
CFOs are also able to influence the board on the importance of cybersecurity spending. While it may prove tricky to convince them, the key is that their status as CFO (financial decision maker and risk mitigator) makes them a pivotal player in advocating for security spending.
CFOs need to take a proactive approach to preventing attacks and building up their defenses, all while still meeting their financial goals. This responsibility falls squarely on the shoulders of CFOs. So, where should they start, given that measuring the returns on security investments is not straightforward?
CFOs are, understandably, numbers people. However, they cannot put a figure on the growing potential threat of cybersecurity attacks. We only know the attacks appear to be increasing and more sophisticated over time.
This makes it hard to measure the ROI of security investments, and that is not a position CFOs are happy to be in. But there are ways that they can measure cybersecurity success:
To quantify risk, CFOs must look at two major factors: their internal security position and the external threat landscape.
Internal Security Position
The first question for CFOs to ask themselves is how they measure risk. And what does success look like?
They can start by defining important benchmarks and assigning key performance indicators (KPIs) across their security platform. For example, they can track the number of security incidents detected and mitigated, or the average time to catch and respond to threats. Or, for the savvy CFO, the percentage by which cybersecurity-related costs fall over time.
With these factors in mind, CFOs can make more informed decisions when it comes to using resources and goal-setting. Plus, tracking KPIs can give them insight into what is worth investing in to get the best ROI.
Once they have established the overarching plan, they can go deeper and start creating KPIs for any part of their strategy that they spend money on. In other words, CFOs have to manage both the strategy and the tactics. This will give them insight into how each area of investment is making an impact.
For one example, they could set KPIs for their Data Loss Prevention (DLP) system, such as:
As CFOs invest more, they should expect to see reduced data leak incidents, faster data leak control times, and improved compliance rates.
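As an added illustration, and not code from the original article, the following Python script computes the DLP KPIs just described (incident count, mean time to detect, mean time to contain, and the share of leaks the DLP policy blocked automatically) and the quarter-over-quarter change a CFO would track. The incident records, the quarterly grouping and the `auto_blocked` field are constructed assumptions, not data from any real system.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass
class DlpIncident:
    """When the leak began, was detected and was contained; whether DLP blocked it."""
    quarter: str
    started: datetime
    detected: datetime
    contained: datetime
    auto_blocked: bool

# Constructed sample records (not real incident data): two quarters of DLP
# incidents so a quarter-over-quarter trend can be computed.
SAMPLE_INCIDENTS = [
    DlpIncident("2024-Q1", datetime(2024, 1, 8, 9, 0), datetime(2024, 1, 9, 9, 0), datetime(2024, 1, 9, 21, 0), False),
    DlpIncident("2024-Q1", datetime(2024, 2, 1, 8, 0), datetime(2024, 2, 2, 20, 0), datetime(2024, 2, 3, 6, 0), False),
    DlpIncident("2024-Q1", datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 5, 16, 0), datetime(2024, 3, 5, 18, 0), True),
    DlpIncident("2024-Q2", datetime(2024, 4, 2, 9, 0), datetime(2024, 4, 2, 12, 0), datetime(2024, 4, 2, 14, 0), True),
    DlpIncident("2024-Q2", datetime(2024, 5, 20, 9, 0), datetime(2024, 5, 20, 15, 0), datetime(2024, 5, 20, 21, 0), True),
]

def _hours(start, end):
    return (end - start).total_seconds() / 3600

def quarterly_kpis(incidents):
    """Per quarter: incident count, mean hours from leak start to detection,
    mean hours from detection to containment, and auto-block rate in percent."""
    by_quarter = {}
    for inc in incidents:
        by_quarter.setdefault(inc.quarter, []).append(inc)
    kpis = {}
    for quarter, incs in sorted(by_quarter.items()):
        kpis[quarter] = {
            "incidents": len(incs),
            "mean_hours_to_detect": round(mean(_hours(i.started, i.detected) for i in incs), 1),
            "mean_hours_to_contain": round(mean(_hours(i.detected, i.contained) for i in incs), 1),
            "auto_block_rate_pct": round(100 * sum(i.auto_blocked for i in incs) / len(incs), 1),
        }
    return kpis

def quarter_over_quarter(kpis):
    """Percent change of each KPI between consecutive quarters (negative = fell);
    None when the earlier quarter's value is zero and no ratio can be formed."""
    quarters = sorted(kpis)
    return {
        f"{prev}->{cur}": {k: (round(100 * (kpis[cur][k] - kpis[prev][k]) / kpis[prev][k], 1) if kpis[prev][k] else None)
                           for k in kpis[cur]}
        for prev, cur in zip(quarters, quarters[1:])
    }
```

On the sample data, incident count, time to detect and time to contain all fall from Q1 to Q2 while the auto-block rate rises, which is the direction a CFO should expect to see as DLP investment matures.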
External Threat Landscape
CFOs may think evaluating the current threat landscape is too foreign. However, it is no different from any other careful business evaluation.
Aspects like sensitive patient information make the healthcare industry unique in its threats and challenges. As CFOs evaluate these threats, they can consider:
Optimizing your organization's costs starts with analyzing your cybersecurity investments. With KPIs in mind, see areas where your organization can enhance efficiency without compromising on your security standards.
Your approach may vary, but cost-saving ideas include leveraging cloud-based solutions (rather than cumbersome on-prem solutions), outsourcing to Managed Security Service Providers (MSSPs) rather than hiring in-house staff, or consolidating your security stack for streamlined functionality and reduced overhead.
Of course, keeping track of your progress and adjusting as necessary is just as important as tracking KPIs and optimizing costs. Your organization can do this through a three-step assessment that thoroughly evaluates your cybersecurity tech investments. To break it down simply, your assessment should look like this:
Discover phase: Start by conducting a detailed examination of your current cybersecurity position and maturity to determine where your security posture stands.
Analysis phase: Once your organization's position is thoroughly examined, assess your healthcare business for potential security gaps against multiple frameworks and create a plan to remediate those gaps.
Synthesis phase: Combining all of your information plus feedback from cybersecurity experts and stakeholders, create a clear roadmap of action that addresses every shortcoming, improves your posture, and aligns with future financial goals.
Or run your assessment based on a specific compliance framework. The best compliance assessment approach is to:
Start with a control set that is deemed appropriate for your organization (such as HIPAA, HITRUST, etc.).
Measure how well your organization is performing against one specific framework.
Create a specific plan to adjust your security investments for maximum returns and the best possible bang for your buck. Again, keep in mind your team will have to be both strategically-minded and tactically efficient to be successful as you assess and adjust accordingly.
With all of these considerations in mind, start thinking about specific tools to streamline this process.
We briefly mentioned Data Loss Prevention (DLP) systems earlier. DLP is a set of tools designed to safeguard sensitive information from unauthorized access, sharing, or exfiltration. One example is Microsoft Purview, which is a worthwhile healthcare investment in protecting confidential patient information. Plus, it is designed to quickly aid in stopping and controlling a data leak incident in the event of a breach.
In fact, there is currently a 90-day Purview trial available for customers with a Microsoft 365 E3 license. Customers with a Microsoft 365 E5 license already have Purview included.
More comprehensive than Microsoft 365 E3, the E5 license includes everything E3 does plus advanced security (including Advanced Threat Protection and Azure Active Directory Premium P2), threat intelligence, compliance, and analytics features. While E3 licenses are better suited to keeping only the essentials at a lower cost, E5 licenses add a wealth of features and enhanced security that are ideal for larger organizations with bigger budgets.
However, simply owning E5 neither justifies the investment nor guarantees optimal cybersecurity outcomes; its features still have to be configured, monitored, and operated. If your organization is concerned about unlocking the full potential of Microsoft E5, then Microsoft MXDR might be worth the security investment.
Microsoft Managed Extended Detection and Response (MXDR) is a service that combines a comprehensive suite of Microsoft tools with support and expert analysis. MXDR can detect, respond to, and mitigate cybersecurity threats, and comes with the support of dedicated security expertise to ensure your organization gets the maximum value out of the platform. In other words, leveraging the full suite is challenging without the help of experienced security experts who enable your organization to make the most of its advanced features (and your investment).
Balancing your cybersecurity budget and meeting organizational goals is no small feat. But, as a CFO, you’re uniquely qualified to improve your overall security position with the right healthcare security budget, thereby preventing costly breaches.
If this process still sounds daunting, keep in mind that you can outsource your security solution implementation to an experienced MSSP to help navigate your unique security challenges more effectively.
Reach out to Avertium today to learn how we can make implementation as straightforward as possible for your organization.